PACS hack lawsuit tossed

A federal judge has dismissed a class-action lawsuit filed by patients over a data breach at a four-location radiology practice and its countrywide parent company.

The plaintiffs alleged that a 2019-2020 hack of a picture archiving and communication system operated by Mount Kisco, N.Y.-based Northeast Radiology, which is corporately managed by 47-state Alliance HealthCare Services (now part of Akumin Inc.), had burdened them with an “ongoing imminent risk” of identity theft and fraud.

The claims included negligence, breach of contract, violation of a New York General Business Law section and “intrusion upon seclusion.” The patients added that, unlike credit-card theft, this type of privacy infringement gives the victimized no sure way to halt the dissemination of stolen personal information.

The PACS housed more than 1.2 million patient records, although the hack seems to have exposed those from only 29 patients.

Soon after notifying the public of the crime in 2020, Northeast stated there was “no evidence that any personal information was misused by the unauthorized individuals, and Northeast Radiology is not aware of any instances of fraud or identity theft as a result of this incident.”

In this week’s decision,[1] handed down Monday, U.S. District Judge Vincent L. Briccetti rejected the plaintiffs’ arguments and dismissed the case.

He ruled the plaintiffs, Jose Aponte II and Lisa Rosenberg, “failed to allege the type of concrete injury-in-fact necessary to sustain their claims under established standing principles.”

More from Briccetti’s decision as lightly edited for clarity by Law 360:

Even if plaintiffs lost some measure of privacy and that privacy was part of the bargain for medical services, [they] haven’t alleged any concrete harm from the alleged data breach. If plaintiff[s] bargained for data security, and no third party has misused [their] data, then plaintiffs have received exactly what [they] paid for.”

The judge further found that, contrary to the plaintiffs’ claims, Northeast had not “caused unauthorized access by third parties that intruded upon their seclusion,” which is a sufficient injury to confer standing, Law 360 notes.

Briccetti stated that the hackers, not the practice, improperly accessed the data.

Dave Pearson

Dave P. has worked in journalism, marketing and public relations for more than 30 years, frequently concentrating on hospitals, healthcare technology and Catholic communications. He has also specialized in fundraising communications, ghostwriting for CEOs of local, national and global charities, nonprofits and foundations.

Around the web

The patient, who was being cared for in the ICU, was not accompanied or monitored by nursing staff during his exam, despite being sedated.

The nuclear imaging isotope shortage of molybdenum-99 may be over now that the sidelined reactor is restarting. ASNC's president says PET and new SPECT technologies helped cardiac imaging labs better weather the storm.

CMS has more than doubled the CCTA payment rate from $175 to $357.13. The move, expected to have a significant impact on the utilization of cardiac CT, received immediate praise from imaging specialists.